Hackers steal $1.75 million from Catholic church in Ohio

Graham Cluley

Saint Ambrose Catholic Parish in Brunswick, Ohio, is a pretty big church community. With 5,000 families and 16,000 members in its congregation, you can imagine that it brings in a fair bit of moolah each Sunday.

But that kind of cash in the bank can attract the wrong kind of people.

In a letter to parishioners, Father Bob Stec shared some bad news this weekend:

On Wednesday of Holy Week, I received some very difficult news that I need to share with you this weekend at Mass, and by way of this letter. Our Vision 2020 Team has been working hand in hand with Marous Brothers Construction to renew our Church. By all accounts, the project has been going extremely well – both on time and on budget.

On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed. I contacted the Brunswick Police, our bank, Marous Brothers, and the Diocese immediately, and the FBI was also brought in.

Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions. The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened. Needless to say, this was very distressing information.

In short, the church fell foul of a business email compromise (BEC) attack, as fraudsters posed as the company hired to conduct genuine construction work.

Hackers broke into two email accounts belonging to the church (perhaps as a result of phishing, although keylogging malware or password reuse are also possible explanations), and staff were tricked into believing that their contractor’s bank account details had changed.

Sure enough, when the next payments were made, $1,750,000 was wired to a bank account under the control of the hackers.

One has to hope that any insurance policies the church has in place cover business email compromise. At least it’s unlikely the insurers will blame it all on an “act of God.” (Sorry, I’m so sorry…)

Stec apologises to parishioners in his letter:

“Please know how very sorry I am that this has occurred in our parish community. If I/we had any idea, any clue, any information that the money was not being sent to the right account, we would have addressed it immediately.”

It’s easy to be wise after the event, but organisations should put measures in place to rigorously confirm and verify whenever bank account details have changed to ensure that the change is authorised. It also makes sense to harden email systems with strong, unique passwords and multi-factor authentication to make it harder for hackers to break into accounts. Furthermore, staff should receive training to be on the lookout for the tricks commonly used by scammers.
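The control described above, a payment gate that treats any change in a supplier's bank details as unverified until someone confirms it by phone using the number already on file, can be written down as code. The example below is added here for illustration and is not part of the original post or anything the parish or its bank uses; the vendor name is taken from the story, but the bank, phone and amount values are constructed placeholders, and the `review_payment` / `apply_verified_change` functions are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    HOLD = "hold for out-of-band verification"


@dataclass(frozen=True)
class BankDetails:
    routing_number: str
    account_number: str


@dataclass
class VendorRecord:
    """Supplier master record, populated from the signed contract, not from email."""
    name: str
    bank: BankDetails
    callback_phone: str  # number captured at contract onboarding, never taken from an invoice email


@dataclass
class PaymentRequest:
    """A wire request as it reaches accounts payable, carrying the bank details printed on the invoice."""
    vendor_name: str
    amount_usd: float
    bank: BankDetails
    callback_confirmed: bool = False  # True only after AP phoned callback_phone and the vendor confirmed


def review_payment(vendor: VendorRecord, req: PaymentRequest) -> tuple[Decision, str]:
    """Gate a wire on the vendor's on-record bank details.

    A mismatch between the invoice and the master record is treated as a possible
    BEC attempt until it is confirmed over a channel the attacker does not control:
    a call to the phone number already on file, not one supplied in the same email.
    """
    if req.vendor_name != vendor.name:
        raise ValueError("payment request does not belong to this vendor record")
    if req.bank == vendor.bank:
        return Decision.APPROVE, "bank details match the vendor master record"
    if not req.callback_confirmed:
        return (Decision.HOLD,
                f"bank details differ from record; confirm by calling {vendor.callback_phone} "
                "before releasing funds")
    return Decision.APPROVE, "changed bank details confirmed out of band"


def apply_verified_change(vendor: VendorRecord, req: PaymentRequest) -> VendorRecord:
    """Update the master record only when the request passed review; a held request changes nothing."""
    decision, _ = review_payment(vendor, req)
    if decision is Decision.APPROVE and req.bank != vendor.bank:
        vendor.bank = req.bank
    return vendor


# Constructed sample data: the routing, account and phone values are placeholders, not real details.
CONTRACTOR = VendorRecord("Marous Brothers Construction",
                          BankDetails("000000000", "111111111"), "+1-555-0100")


def demo() -> list[Decision]:
    """Run three requests through the gate: unchanged details, an unverified change, a verified change."""
    legit = PaymentRequest(CONTRACTOR.name, 875_000.00, BankDetails("000000000", "111111111"))
    # An emailed "we have moved banks" notice with new details and no phone confirmation: held.
    suspicious = PaymentRequest(CONTRACTOR.name, 875_000.00, BankDetails("222222222", "333333333"))
    # The same change after AP phoned the number on file and the contractor confirmed it: released.
    verified = PaymentRequest(CONTRACTOR.name, 875_000.00, BankDetails("222222222", "333333333"),
                              callback_confirmed=True)
    return [review_payment(CONTRACTOR, r)[0] for r in (legit, suspicious, verified)]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

The point of keeping `callback_phone` on the master record rather than on the request is that a compromised mailbox can supply a plausible new account number and a plausible new phone number in the same message; only a number recorded before the email arrived is worth calling.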

Don’t feel too superior. More and more firms are being hit by business email compromise attacks because it’s one of the easiest ways for online criminals to steal what can be a huge amount of money, without needing very much in the way of technological prowess.

It could be you next. There but for the grace of God, go I…

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
